Oracle 9i: the unbreakable broken

Three advisories pinpoint serious flaws

Oracle is treading on increasingly shaky ground with its 'unbreakable' marketing campaign, after no fewer than three advisories went out yesterday pinpointing security flaws in the 9i database and the 9i Application Server.

Although Oracle's slogan for the 9i database is "Can't break it. Can't break in", a recently discovered remote compromise in the database server, and a file access vulnerability and buffer overflow in 9iAS, may have something to say to the contrary.

With the remote compromise it may be possible for an attacker to masquerade as an Oracle process and execute any function in any driver on the file system without the authentication of a user ID or password.

According to reports, Oracle was alerted to the vulnerability last summer and provided with working exploit code in October. It is currently investigating the issue and working on a patch.

There are also multiple buffer overflows in the PL/SQL (Procedural Language/Structured Query Language) module for Oracle Application Server running on Apache that allow the execution of arbitrary code. A non-overflow denial of service vulnerability also exists.

The Oracle 9iAS web service is powered by Apache and provides many application environments with the facility to offer services from the site such as SOAP, PL/SQL, XSQL and JSP.

But a security issue exists in the OracleJSP environment where an attacker can get access to the source code of the translated JSP page. And there is a second issue that relates to an attacker gaining access to the globals.jsa contents.

Oracle has released a patch for the buffer overflow, which is available from the company's website here. The advisories can be found on the Bugtraq security mailing list.

The 9i remote compromise advisory can be found here, the buffer overflow advisory can be found here and the file access vulnerability can be found here.